Shirt Pocket SuperDuper! Privilege Escalation Vulnerability Allowing Arbitrary Package Installation
Vulnerability
A vulnerability in Shirt Pocket's SuperDuper! backup software, specifically in versions through 3.11, allows local attackers to alter the default task template. This modification can be used to install arbitrary packages that execute shell scripts with root privileges and Full Disk Access, effectively circumventing macOS privacy protections.
Impact
Exploitation of this vulnerability could lead to unauthorized root access, allowing the execution of malicious scripts with full administrative rights and unrestricted access to the user's files and data.
Remediation
Users can upgrade to SuperDuper! version 3.12, which addresses this vulnerability by removing the option to install packages that could execute harmful scripts with elevated privileges. This update is available through the application's normal update process or can be downloaded directly from the Shirt Pocket website.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.